Anthony Speaight | Data Retention, National Security and the ECJ: The Continuing Saga

The latest judgment in the saga of data retention provides further evidence of the problems and uncertainties created by the European Court of Justice.

First a recap on the story so far. Since the dawn of telecommunications the companies involved have been recording who use their services when, and from where. Apart from any other reason this information, which does not include a copy of the actual message, has often been required for billing purposes. Subject to judicial or other appropriate control of access, such information has been available to law enforcement agencies.

With the advent of the Islamist international terrorism, there was widely seen to be advantage in placing on a formal footing an obligation on such companies to retain such “Who? What? Where?” data for a period of time, so that when an individual came to the interest of law enforcement agencies information could be obtained not only on future communications but also on communications in the recent past. Accordingly in 2006 the EU enacted a Data Retention Directive.

The smooth operation of this system was thrown into doubt in 2014 by the ECJ holding in Digital Rights Ireland[1] that this entire Directive was invalid: the Court held the Directive to be incompatible with the EU Charter of Fundamental Rights. This decision came as a surprise, as it departed from previous decisions of both the European Court of Human Rights[2] and the ECJ itself[3]. The UK Parliament then hastily enacted the Data Retention and Investigatory Powers Act 2014 in order to retain a basis in law for the obligation of retention in the UK. Other European countries with security concerns took equivalent action.

Two prominent British MPs, Tom Watson MP and (perhaps unexpectedly) Dave Davis MP, commenced litigation to have parts of the 2014 Act declared invalid on the ground that it was outside Parliament’s competence to legislate incompatibly with the EU Charter as expounded in the ECJ decision. They succeeded at first instance, but the Court of Appeal inclined against their argument. Regarding the issue, however, as one which was arguable both ways, the Court of Appeal referred the case to the ECJ for a preliminary opinion[4]. It is important to observe that the British claimants’ concerns were essentially that there should be better safeguards before security services had access, and that they did not object to retention of data in principle.

In Luxembourg the Watson case (Davis now having removed his name from the proceedings) was conjoined with a reference from Sweden which raised a similar issue in connection with Swedish data retention requirements. In Tele2 and Watson in December 2016 the CJEU held that EU law does precludes a member state from domestic legislation imposing a general obligation to retain data[5]. The Court went further than the Claimants had argued: amongst other novelties, the Court held that any data so acquired must be retained within the EU[6]. The Court rejected the advice of its Advocate-General, who had inter alia cited the view of the French Government that access to communications data had been useful in its investigations into the terrorist attacks in France in 2015.

Up to a point the Watson litigation has now become academic. That is because since 1 January 2017 it been replaced by new legislation, and currently bulk data is collected by security authorities under an older power in the Telecommunications Act 1984. However, the implication of Tele2 and Watson is that these provisions should also be held to be of no effect as contrary to EU law.

The problems caused by these Luxembourg Court decisions will take a slightly different form upon the UK’s exit from the EU, but will not disappear. The UK will not be able to ignore EU law: indeed, the Government is already in the process of implementing the EU’s new data protection framework, and plans to retain this after Brexit[7]. But data exchange between British and EU-27 security authorities could face a prohibition.

After a curious delay the opinion given by the ECJ on the reference in the Watson case was finally considered by the Court of Appeal very recently. Judgment thereon was handed down on 30th January 2018. The Court had great difficulty in determining what the ECJ had really decided. “I regret to say”, said Lord Lloyd-Jones, “that the task facing this court is far from easy in view of the fact that the preliminary ruling from the CJEU is lacking in clarity”[8].

One of the reasons for the difficulty was that the ECJ nowhere addressed the factor that national security is expressly excluded from the competence of the EU. Art 4(2) of the Treaty on European Union states emphatically: “National security remains the sole responsibility of each Member State”. The conundrum of whether, in consequence of this limitation on EU competence, the effect of the Tele2 judgment could cover anything beyond crime which did not threaten national security, in other words whether it must be limited to normal domestic crime, is already on its way to the ECJ thanks to another reference from the UK in Privacy International v Foreign Secretary[9]. Accordingly, the Court of Appeal’s declarations were silent in respect of the national security aspect of data retention: the declaration was confined to holding that the 2014 Act was inconsistent with EU law in so far as it permitted access in a domestic context where fighting serious crime was not the objective, and where there was no independent prior review before access was granted.

The Court of Appeal declined to grant a declaration that data must be retained within the EU. Although Lord Lloyd Jones accepted that on its face the judgment expressed an absolute, unconditional ban on such transfer, he noted that the claimants had not argued for such a ban. Therefore, he considered there was “considerable uncertainty” about this requirement.

Another feature of the Tele2 judgment on which the Court of Appeal declined to make a declaration was the proposition that there must be an ex post facto notification to a person if there has been access to his data. This requirement, which could be damaging to investigations and surveillance, was another element of the judgment where the the ECJ went further than the Claimants had asked.

One final aspect of the ECJ judgment on which the Court of Appeal declined to make a declaration was the proposition that there must be an identified public whose data was likely to reveal a direct or indirect link with serious crime. Commentators have found this requirement wholly impracticable. Once again the Court of Appeal decided that this feature would be best left open until after the ECJ has reconsidered the topic in the pending Privacy International reference.

Criticism of the Tele2 judgment is not confined to Eurosceptics. It was roundly condemned by all the participants on a panel about the case at a meeting of the Society of Conservative Lawyers held on 22nd January 2018. David Anderson QC, the immediate past Independent Reviewer of Terrorism Legislation, said that, having had personal involvement in over 100 cases at the ECJ, this was the worst judgment he knew. Dominic Grieve QC MP was equally forthright in his criticism. A distinguished member of the French Bar, Francois-Henri Briard, shared their views and offered this way forward:

“What can we do? You can do like the French, keep your own domestic law (article R10-13 III of CPCE which provides one year of compulsory general retention) and ignore the European fantasy; also, we can work together on changing the Luxemburg case-law and move to more realistic approach; jurisprudence is alive and moving; ECJ is a court, made of men and women; this will be the job of conservative lawyers to move to the right direction, with good judicial nominations and good pleadings, we can make it.”[10]